‼ CVE-2021-20377 ‼
📖 Read
via "National Vulnerability Database".
IBM Security Guardium 11.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 195569.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-20484 ‼
📖 Read
via "National Vulnerability Database".
IBM Sterling File Gateway 2.2.0.0 through 6.1.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 197666.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-20434 ‼
📖 Read
via "National Vulnerability Database".
IBM Security Verify Bridge 1.0.5.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 196346.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-4803 ‼
📖 Read
via "National Vulnerability Database".
IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189535.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-4690 ‼
📖 Read
via "National Vulnerability Database".
IBM Security Guardium 11.3 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 186697.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29800 ‼
📖 Read
via "National Vulnerability Database".
IBM Tivoli Netcool/OMNIbus_GUI and IBM Jazz for Service Management 1.1.3.10 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-4809 ‼
📖 Read
via "National Vulnerability Database".
IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189633.📖 Read
via "National Vulnerability Database".
❌ 100M IoT Devices Exposed By Zero-Day Bug ❌
📖 Read
via "Threat Post".
A high-severity vulnerability could cause system crashes, knocking out sensors, medical equipment and more.📖 Read
via "Threat Post".
❌ 5 Tips for Achieving Better Cybersecurity Risk Management ❌
📖 Read
via "Threat Post".
Casey Ellis, founder, CTO and chairman of Bugcrowd, discusses a roadmap for lowering risk from cyberattacks most effectively.📖 Read
via "Threat Post".
Threat Post
5 Tips for Achieving Better Cybersecurity Risk Management
Casey Ellis, founder, CTO and chairman of Bugcrowd, discusses a roadmap for lowering risk from cyberattacks most effectively.
🔏 NYDFS Clarifies Portions of Cybersecurity Regulation in Update 🔏
📖 Read
via "".
The New York Department of Financial Services has updated its guidance on incidents affecting third party services and multi-factor authentication.📖 Read
via "".
Digital Guardian
NYDFS Clarifies Portions of Cybersecurity Regulation in Update
The New York Department of Financial Services has updated its guidance on incidents affecting third party services and multi-factor authentication.
👍1
🦿 Here's a fix for open source supply chain attacks 🦿
📖 Read
via "Tech Republic".
Commentary: Open source has never been more popular or more under attack, but there's something cloud providers can do to make OSS more secure.📖 Read
via "Tech Republic".
TechRepublic
Here's a fix for open source supply chain attacks
Commentary: Open source has never been more popular or more under attack, but there's something cloud providers can do to make OSS more secure.
‼ CVE-2021-41088 ‼
📖 Read
via "National Vulnerability Database".
Elvish is a programming language and interactive shell, combined into one package. In versions prior to 0.14.0 Elvish's web UI backend (started by `elvish -web`) hosts an endpoint that allows executing the code sent from the web UI. The backend does not check the origin of requests correctly. As a result, if the user has the web UI backend open and visits a compromised or malicious website, the website can send arbitrary code to the endpoint in localhost. All Elvish releases from 0.14.0 onward no longer include the the web UI, although it is still possible for the user to build a version from source that includes the web UI. The issue can be patched for previous versions by removing the web UI (found in web, pkg/web or pkg/prog/web, depending on the exact version).📖 Read
via "National Vulnerability Database".
‼ CVE-2020-19949 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the /link/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-19951 ‼
📖 Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) in /controller/pay.class.php of YzmCMS v5.5 allows attackers to access sensitive components of the application.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-19950 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the /banner/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML.📖 Read
via "National Vulnerability Database".
⚠ STILL ALIVE! iOS 12 gets 3 zero-day security patches – update now ⚠
📖 Read
via "Naked Security".
It wasn't dead, just resting.📖 Read
via "Naked Security".
Sophos News
Naked Security – Sophos News
❌ REvil Affiliates Confirm: Leadership Were Cheating Dirtbags ❌
📖 Read
via "Threat Post".
After news of REvil's rip-off-the-affiliates backdoor & double chats, affiliates fumed, reiterating prior claims against the gang in "Hackers Court."📖 Read
via "Threat Post".
Threat Post
REvil Affiliates Confirm: Leadership Were Cheating Dirtbags
Following the discovery of REvil's rip-off-the-affiliates backdoor and double chats, those affiliates fumed on the underground, pointing to negotiations that ended abruptly just before payment came.
‼ CVE-2021-41584 ‼
📖 Read
via "National Vulnerability Database".
Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the X-Gradle-Enterprise-Ajax-Request header.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-31923 ‼
📖 Read
via "National Vulnerability Database".
Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41583 ‼
📖 Read
via "National Vulnerability Database".
vpn-user-portal (aka eduVPN or Let's Connect!) before 2.3.14, as packaged for Debian 10, Debian 11, and Fedora, allows remote authenticated users to obtain OS filesystem access, because of the interaction of QR codes with an exec that uses the -r option. This can be leveraged to obtain additional VPN access.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41581 ‼
📖 Read
via "National Vulnerability Database".
x509_constraints_parse_mailbox in lib/libcrypto/x509/x509_constraints.c in LibreSSL through 3.4.0 has a stack-based buffer over-read. When the input exceeds DOMAIN_PART_MAX_LEN, the buffer lacks '\0' termination.📖 Read
via "National Vulnerability Database".